An Overview of Salesforce Security & Compliance Measures

Salesforce has rightfully earned and held on to the title of the “World’s #1 CRM Platform” by going to great lengths to give its customers access to their data across all devices, all while ensuring the data is protected from unauthorized access. As the adage goes, “Security is only as strong or weak as the weakest link in the chain.” Salesforce, from its early days, recognized its part in its customers’ security chain and has taken all measures possible to protect customer data at every layer of the OSI model. It also offers powerful and flexible tools that let customers secure their data exactly the way they want. Let’s look at the tools in each of these categories.

Infrastructure

  • Salesforce’s office sites, development centers, support, and data centers are secured by state-of-the-art technologies and are ISO 27001, ISO 27017, and ISO 27018 certified by an independent party.
  • Salesforce hosts multiple tenants on the same shared set of resources. Tenants are completely isolated from each other via an “Organization ID”.
  • In addition, the platform is HIPAA, FedRAMP, and GDPR compliant. A full list of Salesforce’s certifications may be found here.
  • These security measures are entirely under the control of Salesforce and have been made available to the general public for informational purposes alone. The ones below are more important to the Salesforce customer and require careful review, planning, and execution.

Encryption

  • All data is encrypted using TLS 1.2 the moment it leaves the user’s browser or mobile device. Data is always encrypted as it moves around within Salesforce’s own networks.
  • Salesforce offers the ability to encrypt data in sensitive fields at no extra cost, so they may only be accessed by authorized users.
  • For an additional cost, customers may purchase Salesforce Shield, which encrypts all customer data at rest.

Real-time Monitoring

  • Salesforce offers event monitoring at an additional cost for Enhanced Transaction Security and Threat Detection.
    • Enhanced Transaction Security offers customers the ability to define policies around sensitive operations such as login, API access, and reporting.
    • Threat Detection alerts customers in real time to unauthorized access from session hijacking, credential stuffing, and other anomalies.

Authorization

  • Salesforce offers a myriad of ways for customers to log in, ranging from traditional password-based logins to SAML or OAuth-based SSO.
  • In addition, users also have the option of a wide range of two-factor authentication mechanisms. The simplest one (which all users are enrolled in, by default) is through an activation code emailed to the user. Other options include text messages to the user’s registered phone, Salesforce Authenticator App, or a physical security key.

Application Security

  • The final and most important piece of the security chain, from a customer’s perspective, is the set of security configuration options in the Salesforce app itself.
    • System and Object access levels
      • Profiles control Create, Read, Delete and Edit access to objects as well as access to fields. They also dictate the scope of what the user can do on the platform.
      • Permission Sets allow additional permissions to be added to the ones provided to a user by their Profile.
      • Permission Set Groups are a recent addition to the platform that allows grouping multiple Permission Sets together. They have been introduced to simplify the metadata representation of a user’s access levels and are projected to make Profiles less relevant soon.
    • Data access levels
      • For a user having at least Read access to an Object, access to individual records is controlled by a combination of Org-Wide Defaults, the User’s Role, the Object’s Sharing Rules, and Record Ownership. In addition, there are features like Sharing Sets, Queue Membership, Enterprise Territory Management, Manual Sharing, and Account/Sales and Case Teams that can provide a user access to certain records.
    • Process execution contexts
      • Custom Screens and Automations designed on the Platform using Code or Flows may be run under the System Context or User Context. It requires careful planning and execution on the part of an admin or developer to ensure these processes always run with the least privileges necessary and don’t turn into attack surfaces or inadvertently expose sensitive customer information.
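
The System Context versus User Context distinction described under “Process execution contexts”, shown as an added Apex example (not code from the original post or from Salesforce). The class and method names are hypothetical, and each class would be saved as its own file in an org.

```apex
// Added example; class and method names are hypothetical.

// BEFORE: system context. "without sharing" ignores record-level sharing,
// and plain SOQL ignores object (CRUD) and field-level security (FLS).
public without sharing class ContactSearchSystemMode {
    @AuraEnabled(cacheable=true)
    public static List<Contact> search(String lastName) {
        // Any user who can call this method gets every matching Contact,
        // including fields their Profile and Permission Sets hide.
        return [
            SELECT Id, Name, Email, Birthdate
            FROM Contact
            WHERE LastName = :lastName
            LIMIT 50
        ];
    }
}

// AFTER: the same search, limited to what the calling user may see.
public with sharing class ContactSearchUserMode {
    @AuraEnabled(cacheable=true)
    public static List<Contact> search(String lastName) {
        // "with sharing" applies Org-Wide Defaults, roles and sharing rules.
        // WITH USER_MODE also enforces CRUD and FLS; the query throws an
        // exception if the user cannot read one of the selected fields.
        return [
            SELECT Id, Name, Email, Birthdate
            FROM Contact
            WHERE LastName = :lastName
            WITH USER_MODE
            LIMIT 50
        ];
    }

    // Alternative: drop unreadable fields instead of failing the request.
    @AuraEnabled(cacheable=true)
    public static List<Contact> searchStripped(String lastName) {
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE,
            [SELECT Id, Name, Email, Birthdate
             FROM Contact WHERE LastName = :lastName LIMIT 50]
        );
        return (List<Contact>) decision.getRecords();
    }
}
```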

The features listed above are merely an overview. There are many intricacies to configuring and fine-tuning data security in Salesforce. Although most small-to-midsize customers start out with an “open” model, where access to data is pretty much unrestricted to all users, the approach may not be suited to all customers and can quickly prove inadequate as the user list starts growing.

Careful planning and execution, driven by an experienced Salesforce Consultant or Administrator, can end up saving you a lot of time and money as you start to scale usage of the Platform. At the same time, a lack of proper planning and improper implementation can end up costing you time, money, and customer goodwill.

Vertex Computer Systems is a trusted Salesforce Solutions Provider with specializations in Sales Cloud, Service Cloud, and Business Process Automation & Transformation. If you would like to schedule a Salesforce security audit or just learn more about Salesforce security, please contact us.

Sankar has been part of the Vertex Salesforce team since 2012 as a Developer and Solution Architect. He’s deeply passionate about solving customer business problems with the best technology. Outside of work, he’s an avid flight simmer and aviation enthusiast.

Sankar Krishnan